Malicious PDF — malware analysis report

Static analysis result for SHA-256 b528a95bb5062506…

Verdict: MALICIOUS
File type: PDF
Size: 806.5 KB
First seen: 2026-05-10
MD5: 64a3b465693a07c956fcead759d18126
SHA-1: 237daed6cb65700aee83d258e982f187e75554f5
SHA-256: b528a95bb5062506917553c822e75d0ffb541db5757553f7672dd19516f042ff
Risk score: 60

Digital signature: modified after signing

A signature covers the whole signed byte range — PDF JavaScript is never signed on its own — and does not by itself mean the document is safe.

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file exhibits multiple suspicious characteristics, including embedded files and JavaScript actions. The presence of an embedded script payload and extracted artifacts like 'embedded_file_obj0012.bin' strongly indicates an attempt to execute malicious code. The specific nature of the payload is unclear due to obfuscation, but the overall pattern points to a downloader or dropper.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0272

Heuristics (9)

  • Active content added after the PDF was signed [medium] PDF_SIGNATURE_POST_SIGN_MODIFICATION
    An incremental update appended AFTER the signed byte range introduces active content (/EmbeddedFile). Some of this can occur in legitimate form-fill (field scripts, a rewritten /Catalog), so it is suspicious rather than damning — but it is content the signer did not approve.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • JavaScript action [low, 1 related finding] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded script payload in PDF stream [info] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (19)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
embedded_file_obj0010.bin pdf-embedded-file PDF EmbeddedFile object 10 at offset 0x644AC 85 bytes
SHA-256: c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb
embedded_file_obj0011.bin pdf-embedded-file PDF EmbeddedFile object 11 at offset 0x6455F 1972 bytes
SHA-256: f8bb8e107f65e36230e42b49595be52a26aba919be64f79912779f9aa14be94f
embedded_file_obj0012.bin pdf-embedded-file PDF EmbeddedFile object 12 at offset 0x648CF 158493 bytes
SHA-256: dee911764c235ba85655acd16af2a0004aac39f312a291d7d3217902e15224b4
Detection
ClamAV: No threats found
Obfuscation or payload: likely
1276 of 1918 identifiers look randomly generated (e.g. 'kXBlB3j3adcFzoPrvf4bjmqUvfCfPjs9aAX3QMR5'); 10 string-concatenation chain(s) — consistent with name-mangling obfuscation. Carved artifact contains 3 long base64-like blob(s).
embedded_file_obj0013.bin pdf-embedded-file PDF EmbeddedFile object 13 at offset 0x7140D 2415 bytes
SHA-256: a8d2cd1302a8c7607ceca6ddec6efe61839bcac8f71b8bc5932623262cbe2d70
embedded_file_obj0014.bin pdf-embedded-file PDF EmbeddedFile object 14 at offset 0x716FC 466 bytes
SHA-256: 441c565d3a05ee37191a9ee67da217d63b78e19662ebf712cd550108da120404
embedded_file_obj0015.bin pdf-embedded-file PDF EmbeddedFile object 15 at offset 0x71867 200 bytes
SHA-256: 500856001a9edb17a299f41c8b34871c12c85d56ec8eff03ef181fca24bb96b5
embedded_file_obj0016.bin pdf-embedded-file PDF EmbeddedFile object 16 at offset 0x7195C 1533 bytes
SHA-256: b4106264dd4462e3357e3e07ffb372b3916a166cab1de3c1ed9053807f1b6092
embedded_file_obj0017.bin pdf-embedded-file PDF EmbeddedFile object 17 at offset 0x71C21 80 bytes
SHA-256: 2ebdd7efeaa1190ff6bad8cbd649b313e3969564018f204e7385b97c2fab1e19
embedded_file_obj0018.bin pdf-embedded-file PDF EmbeddedFile object 18 at offset 0x71CCC 581 bytes
SHA-256: f76aaf85c7e88608ebc76d0188d5b6090874fe3d2532f577feed4908e4530a52
embedded_file_obj0671.bin pdf-embedded-file PDF EmbeddedFile object 671 at offset 0x9F94C 223225 bytes
SHA-256: 57a8624ee218b0e640ec6b78347b4c41ff5b3e6c1928d1a59eff747c3b2aed76
Detection
ClamAV: No threats found
Obfuscation or payload: likely
4536 of 6733 identifiers look randomly generated (e.g. 'k4BoAUUp60mc0dutACnjmjjtR2o6jFACHnApR1pc'); 25 string-concatenation chain(s) — consistent with name-mangling obfuscation.
embedded_file_obj0683.bin pdf-embedded-file PDF EmbeddedFile object 683 at offset 0xC8795 2556 bytes
SHA-256: 577bbbcf4d4809796239c5898906ed9299b5668ce155394c96aad5ce888e9c77
stream_002_off00002f1e.js decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2F1E 1532 bytes
SHA-256: f574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8
stream_003_off0000310a.js decompressed-pdf-stream PDF FlateDecoded stream at offset 0x310A 870 bytes
SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
stream_064_off0002257d.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2257D 40238 bytes
SHA-256: fcea4a28918936bdcb7a5feb0ce1099c70e87f9d43dc5faeb142436b2c05626e
stream_071_off0002a6eb.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2A6EB 367087 bytes
SHA-256: b8e2518b116c26bab0e9f8c1672daf405dedad561157502b657e9005be2029aa
objstm_0525_00.bin pdf-objstm-decoded PDF /ObjStm 525 0 obj (inflated) 27614 bytes
SHA-256: 980e520aea90301813211f8908fbcb2fa0fdedb66d003a426fe127529ebb71ed
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6 long base64-like blob(s).
font_00_sfnt_off00007b55.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7B55 95975 bytes
SHA-256: c29e5b1537bee8c88b3ffca56c5f24a45ec8da374cf9d4c0b4a78d04fc230949
font_01_cff_off000298bf.bin pdf-font-stream PDF embedded font (cff) at offset 0x298BF 2091 bytes
SHA-256: 14813550fd49ff3d87cfd6be61f8a2cf43d9161cb67f0c8630b0a2463c0edecb
font_02_sfnt_off0005cefe.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x5CEFE 36717 bytes
SHA-256: 3a47365ba29be93b97be381e34ec3c7ef0a10e0f82cdb3dadd6fb11f2800fdb3